Back to overview

CVE-2026-54243

MEDIUM
6.1
CVSS 3.1
Description
Statamic is a Laravel and Git powered content management system (CMS). Prior to 5.73.24 and 6.20.1, form submission values in src/Forms/Exporters/CsvExporter.php were not neutralized for spreadsheet formula characters when exported to CSV. A submission containing a value beginning with a formula trigger character, such as =, +, -, or @, could be interpreted as a live formula when a Control Panel user opens the export in a spreadsheet application. Form submissions can come from unauthenticated front-end visitors, so the malicious value can be supplied by an anonymous user and is later triggered by an editor opening the export. This issue is fixed in versions 5.73.24 and 6.20.1.

Metadata

CVE ID
CVE-2026-54243
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-12 16:25 UTC
Published
2026-07-17 20:24 UTC
Last updated
2026-07-17 20:24 UTC
Primary CWE
CWE-1236
CWE-1236: Improper Neutralization of Formula Elements in a C…
Vendor / Product
statamic / cms
Sources
cve.org  ·  NVD

Severity & Metrics

6.1 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Affected products (1)
VendorProductPlatformVersions
statamic cms < 5.73.24, >= 6.0.0, < 6.20.1
Weakness (CWE)
CWESourceDescription
CWE-1236 cna CWE-1236: Improper Neutralization of Formula Elements in a CSV File
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.1 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
References (5)
Back to overview